I purposely made the first title more dramatic than needed to make people understand that Continuous Auditing needs to be looked at from a different perspective. In fact, it is the original perspective – Risk and Controls – the needs to be adopted. Unfortunately, the concept of Continuous Auditing transformed into “data analysis” which often resulted in auditors simply reporting errors and exceptions and not tying these back to the Control weakness and the Risk. For those of you who did not fall into this trap: congratulations – no need to change anything; except to continually improve.
Also, as previously mentioned, Continuous Auditing was seen as a negative by clients who misunderstood the term to mean that auditor would continuously be looking at their operations (and reporting errors and exceptions). Thus my suggestion: rename Continuous Auditing to Risk-Responsive and Agile (RRA) audit.
Risk-Responsive should be seen as a positive attribute of internal audit. Senior management would understand the important of a continual monitoring of risk levels to identify changes or emerging risks that would negatively impact operations. (Note: ‘continual’ does not mean all the time. The frequency of the monitoring should be based on the level of the risk.) In addition, using data-driven risk indicators would mean that audit is not negatively impacting operations. The analysis can be a non-intrusive assessment of operational data, key risk indicators, and key performance indicators. This would eliminate some of the “we don’t want audit bothering us (again)” attitude.
This brings me to another issue that goes hand-in hand with being risk-responsive: having the correct audit objective. In a previous article “Getting the Most out of your Compliance Audits”, I stressed the importance of having the right audit objective. If your objective is: To ensure compliance with “A.”; and the criteria is: Client should do “A.”, then when you find that (Condition): Client is not doing “A.”, too often the Recommendation is: Do “A.” Not only does this not add any value, but it also doesn’t address the root cause: Why are they not doing “A”?
Audit should be able to conclude on the objective and, when developing recommendations, ensure that the root cause is being addressed. This means that audit objectives should be carefully defined and understood. When developing the audit objectives ask the question: “Will I be able to conclude on the audit?”. You can’t conclude on “To ensure compliance with A”. I try to respond with a Yes or No to determine if the audit objective is correctly defined. I can’t answer Yes or No to “To ensure compliance with A”. Instead of “To ensure compliance with A” the audit objective should focus on the controls that are mitigating the initial risk (why the controls were put in place). Thus, the objective would be more like, “the controls to support compliance with are adequate and effective”.
The next step is to ensure that you have appropriate criteria to support your ability to conclude on the objective. Which controls were put in place to reduce the risk of non-compliance? Determining this will focus your analysis on testing the relevant controls (not the data) and, if you find the controls are not working, the recommendation will address the control weaknesses: not simply “Do A”.
Taking an accounts payable example, RRA audit would first define the audit objective, such as: “The accounts payable controls support the timely and accurate payment of approved invoices.” The next step is to define the data required by the business process, such as Invoice number, date and amount, vendor, payment terms, etc. Then, identify the risks associated with the business process; and the mitigating controls such as paying early, fictitious vendors, etc.. Next, determine the analysis that will test the controls and the data required to perform the analysis. Once these steps have been completed, you are able to perform the analysis and the review and interpret the results. But you are not done yet. The most important step, assuming everything else was done correctly, is to link the results of the analysis back to why you were performing the analysis – to test the controls – and link the controls back to the risk. This will allow you to conclude on the objective.
A/P Example worksheet to identify risk – controls – analytics – data and results:
Using this approach, you will have audit objectives that are supported by analytics; and your analytics will be designed to examine risks by testing the mitigating controls. Further, it is easy to see how the results are related to the mitigating controls and risks. This will focus your analysis and lead to recommendations that directly address the control weaknesses. It also means that the analysis can be re-performed to determine if the recommended action taken by management has addressed the control weaknesses and impact the risk levels.
RRA steps:
This approach will ensure that audit is both risk-responsive and agile in the performance of audits.
Dave Coderre, CAATS (www.caats.ca); and River Analytics and Automation (River AA)
This article has 2 Comments